On Monday, a joint report by Microsoft, PwC, and SentinelOne claimed that the recently outed advanced persistent threat (APT) actor Sandman is linked to China. The researchers highlighted overlaps between Sandman APT attacks and operations by STORM-0866/Red Dev 40, a suspected China-based threat actor.
- Sandman originally stood out for its use of the sophisticated modular backdoor LuaDream. STORM-0866/Red Dev 40 operations similarly used the KeyPlug backdoor. The Chinese state-sponsored group APT41 originally developed KeyPlug, but Microsoft and PwC identified multiple instances of other China-linked threat actors using the tool.
- China-linked threat actors have used the LuaDream and KeyPlug backdoors in the same victim environments and endpoints. In one May 2023 operation, threat actors deployed KeyPlug and LuaDream on the same target system, where the two backdoors remained active for about two weeks. The two backdoors use identical encryption keys and support the same protocols for command and control. SentinelOne assessed that there are strong overlaps in TTPs between the Sandman APT and China-based threat actors using the KeyPlug backdoor.
Read More:
https://www.securityweek.com/sandman-cyberespionage-group-linked-to-china/